LJK/Security Reference Manual
FAILIGNORE
Determine whether specification of no action when security alarms
cannot be generated conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | No action on failure is specified in violation of policy |
| REQUIRED | No action on failure is not specified in violation of policy |
Description
Use of the qualifier /FAILURE_MODE=IGNORE with the SET AUDIT command
causes no action to be taken when security alarms cannot be written to
the OPCOM mailbox (only in VMS V5.4 through V5.5).
Default policy
Specification of IGNORE as the failure mode is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for no action as the failure mode for security alarms. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit PROHIBITED TRY to establish a prohibition against ignoring as
the failure mode only for those versions of VMS (version 5.4 through
5.5) where other failure modes are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE, TRUE or TRY | FALSE |
| REQUIRED | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE, TRUE or TRY | <node> |
| REQUIRED | FALSE or TRUE | <node> |
Practical considerations
IGNORE provides the best continuity of service in the event that disk
space is exhausted on the volume where the OPCOM logs are written.
FAILURE
Determine whether auditing for access failure events conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | FAILURE security alarms are enabled in violation of policy |
| ALREQUIRE | FAILURE security alarms are disabled in violation of policy |
| AUPROHIBIT | FAILURE security audits are enabled in violation of policy |
| AUREQUIRE | FAILURE security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and /ENABLE=ACCESS=FAILURE=(access,...)
with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the
corresponding reporting when access attempts to files fail. Tests for
this element determine whether those audits or alarms are enabled or
not.
Default policy
Enabling of FAILURE security alarms or audits is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of FAILURE security auditing. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
selector
Limits for this element can take a selector consisting of a VMS access
type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL
access to devices are indicated by EXECUTE and DELETE respectively.
Thus, each limit can be set once for each possible access type. If you
do not specify a selector when changing limits, your change applies to
all access types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Enabling FAILURE security alarms and audits will cause a certain number
of false alarms due to typing errors and similar mistakes. Making
effective use of FAILURE security alarms and audits requires a
willingness to sort through the incidental errors looking for those
errors which represent a coordinated attack.
FAILWAIT
Determine whether specification of WAIT when security alarms cannot be
generated conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | WAIT on failure is specified in violation of policy |
| REQUIRED | WAIT on failure is not specified in violation of policy |
Description
Use of the qualifier /FAILURE_MODE=WAIT with the SET AUDIT command
causes the system to wait for resources when security event information
cannot be written to the OPCOM mailbox (only in VMS V5.4 through V5.5).
Default policy
Specification of WAIT as the failure mode is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for WAIT as the failure mode for security alarms. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for wait as the
failure mode only for those versions of VMS (version 5.4 through 5.5)
where such failure modes are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
If individual users have sufficient disk quota to exhaust disk space on
the volume where OPCOM logs are written, they can force others into
MWAIT if WAIT is the failure mode for security alarms.
Likewise, if the amount of disk space available for writing OPCOM logs
is small, individual users could force a WAIT by maliciously generating
a large number of security alarms.
These possibilities for malicious interference increase the importance
of ensuring that all usernames established on VMS systems are assigned
to known individual users, rather than being shared.
FINCRASH
Determine whether specification of an Audit Server final action of
crashing the system when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | CRASH action is specified in violation of policy |
| REQUIRED | CRASH action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=CRASH with the SET AUDIT/SERVER= command
causes the system to crash when the Audit Server runs out of buffer
space.
Default policy
Specification of CRASH as the final action is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for CRASH as the final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for CRASH as the
final action only for those versions of VMS (version 6.0 and above)
where such final actions are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
Specifying CRASH as the final action for the Audit Server is only
appropriate where the need for auditing is more crucial than the need
for continuity of service.
FINIGNORE
Determine whether specification of an Audit Server final action of
ignoring new events when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | IGNORE_NEW action is specified in violation of policy |
| REQUIRED | IGNORE_NEW action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=IGNORE_NEW with the SET AUDIT/SERVER=
command causes the Audit Server to ignore new events when it runs out
of buffer space.
Default policy
Specification of IGNORE_NEW as the final action is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for IGNORE_NEW as the final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for IGNORE_NEW as the
final action only for those versions of VMS (version 6.0 and above)
where such final actions are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
If a particular factor caused the overflow of audit events, some
initial events from that factor will probably already be processed, so
all knowledge of a repeating event will not be lost if IGNORE_NEW is
specified as the final action for the Audit Server.
FINPURGE
Determine whether specification of an Audit Server final action of
purging old events when it runs out of buffer space conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | PURGE_OLD action is specified in violation of policy |
| REQUIRED | PURGE_OLD action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=PURGE_OLD with the SET AUDIT/SERVER=
command causes the Audit Server to purge old events when it runs out of
buffer space.
Default policy
Specification of PURGE_OLD as the final action is neither prohibited
nor required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for PURGE_OLD as the final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for PURGE_OLD as the
final action only for those versions of VMS (version 6.0 and above)
where such final actions are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
PURGE_OLD is the default Audit Server final action as VMS ships.
FINRESTART
Determine whether specification of an Audit Server final action of
restarting the Audit Server when it runs out of buffer space conforms
to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| PROHIBITED | RESTART action is specified in violation of policy |
| REQUIRED | RESTART action is not specified in violation of policy |
Description
Use of the value FINAL_ACTION=RESTART with the SET AUDIT/SERVER= command
causes the Audit Server to restart when it runs out of buffer space.
Default policy
Specification of RESTART as the final action is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for RESTART as the final action for the Audit Server. Then establish
exemptions for any individual nodes which are not to be subjected to
the general rule.
Set limit REQUIRED TRY to establish a requirement for RESTART as the
final action only for those versions of VMS (version 6.0 and above)
where such final actions are supported.
selector
Limits
| Constraint | Value | Default |
|---|---|---|
| PROHIBITED | FALSE or TRUE | FALSE |
| REQUIRED | FALSE, TRUE or TRY | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| PROHIBITED | FALSE or TRUE | <node> |
| REQUIRED | FALSE, TRUE or TRY | <node> |
Practical considerations
The RESTART action is not recommended in the VMS Documentation.
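
How the limit values and node exemptions described for FAILIGNORE, FAILWAIT, FINCRASH, FINIGNORE, FINPURGE and FINRESTART combine, as an added Python sketch that is not LJK/Security's own code. It assumes that an exemption replaces the general limit for the named node and that TRY enforces a constraint only on VMS versions in the range the manual gives; the `Policy` class, function names and node records are hypothetical.

```python
from dataclasses import dataclass, field

def v54_55(v): return (5, 4) <= v <= (5, 5)   # "VMS V5.4 through V5.5"
def v60_up(v): return v >= (6, 0)             # "version 6.0 and above"

# element -> (node setting, value tested, report subject, constraint taking TRY, version test)
ELEMENTS = {
    "FAILIGNORE": ("failure_mode", "IGNORE", "No action on failure", "PROHIBITED", v54_55),
    "FAILWAIT": ("failure_mode", "WAIT", "WAIT on failure", "REQUIRED", v54_55),
    "FINCRASH": ("final_action", "CRASH", "CRASH action", "REQUIRED", v60_up),
    "FINIGNORE": ("final_action", "IGNORE_NEW", "IGNORE_NEW action", "REQUIRED", v60_up),
    "FINPURGE": ("final_action", "PURGE_OLD", "PURGE_OLD action", "REQUIRED", v60_up),
    "FINRESTART": ("final_action", "RESTART", "RESTART action", "REQUIRED", v60_up),
}

@dataclass
class Policy:
    values: dict = field(default_factory=dict)  # (element, constraint, node or None) -> value

    def set_limit(self, element, constraint, value, node=None):
        """Record a general limit, or an exemption when a node name is given."""
        allowed = {"FALSE", "TRUE"} | ({"TRY"} if ELEMENTS[element][3] == constraint else set())
        if constraint not in ("PROHIBITED", "REQUIRED") or value not in allowed:
            raise ValueError(f"{element} {constraint} does not accept {value}")
        self.values[(element, constraint, node)] = value

    def in_force(self, element, constraint, node):
        """Assumed semantics: an exemption overrides the limit; TRY needs a supporting version."""
        value = self.values.get((element, constraint, node["name"]),
                                self.values.get((element, constraint, None), "FALSE"))
        return value == "TRUE" or (value == "TRY" and ELEMENTS[element][4](node["version"]))

def check_node(policy, node):
    """Return the manual's violation report texts that apply to one node."""
    reports = []
    for element, (attr, wanted, subject, _, _) in ELEMENTS.items():
        specified = node.get(attr) == wanted
        if specified and policy.in_force(element, "PROHIBITED", node):
            reports.append(f"{element}: {subject} is specified in violation of policy")
        if not specified and policy.in_force(element, "REQUIRED", node):
            reports.append(f"{element}: {subject} is not specified in violation of policy")
    return reports

# Constructed sample nodes (names, versions and settings are illustrative).
NODES = {
    "ALPHA": {"name": "ALPHA", "version": (5, 5), "failure_mode": "IGNORE"},
    "BRAVO": {"name": "BRAVO", "version": (6, 1), "final_action": "PURGE_OLD"},
    "DELTA": {"name": "DELTA", "version": (6, 1), "final_action": "PURGE_OLD"},
}
```

With FINCRASH REQUIRED set to TRY, a V5.5 node is not reported for lacking CRASH, while a V6.1 node is reported unless it carries a FALSE exemption.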
GRPPRV
Determine whether auditing for events involving the use of GRPPRV
privilege conforms to policy.
Violation reports
| Constraint | Nature of the violation |
|---|---|
| ALPROHIBIT | GRPPRV security alarms are enabled in violation of policy |
| ALREQUIRE | GRPPRV security alarms are disabled in violation of policy |
| AUPROHIBIT | GRPPRV security audits are enabled in violation of policy |
| AUREQUIRE | GRPPRV security audits are disabled in violation of policy |
Description
Use of the qualifiers /CLASS=FILE and /ENABLE=ACCESS=GRPPRV=(access,...)
with the SET AUDIT/ALARM or SET AUDIT/AUDIT command causes the
corresponding reporting when GRPPRV privilege is used to obtain the
specified type of access to files. Tests for this element determine
whether those audits or alarms are enabled or not.
Default policy
Enabling of GRPPRV security alarms or audits is neither prohibited nor
required.
Customizing
Set limits TRUE to establish a general prohibition of or requirement
for the enabling of GRPPRV security auditing. Then establish exemptions
for any individual nodes which are not to be subjected to the general
rule.
selector
Limits for this element can take a selector consisting of a VMS access
type: READ, WRITE, EXECUTE, DELETE or CONTROL. LOGICAL and PHYSICAL
access to devices are indicated by EXECUTE and DELETE respectively.
Thus, each limit can be set once for each possible access type. If you
do not specify a selector when changing limits, your change applies to
all access types.
Limits
| Constraint | Value | Default |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | FALSE |
| ALREQUIRE | FALSE or TRUE | FALSE |
| AUPROHIBIT | FALSE or TRUE | FALSE |
| AUREQUIRE | FALSE or TRUE | FALSE |
Exemptions
| Constraint | Value | Parameters |
|---|---|---|
| ALPROHIBIT | FALSE or TRUE | <node> |
| ALREQUIRE | FALSE or TRUE | <node> |
| AUPROHIBIT | FALSE or TRUE | <node> |
| AUREQUIRE | FALSE or TRUE | <node> |
Practical considerations
Before enabling GRPPRV alarms, it is wise to consult with those holding
the privilege to determine its frequency of use. Although proper
operations should be based on regular protection mechanisms for
day-to-day use, some users may have developed a habit of using GRPPRV
for normal production purposes. GRPPRV audits, on the other hand,
provide a silent record of the activities of privileged users.
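
The selector rule described for FAILURE and GRPPRV (one limit per access type, and a change without a selector applying to all of them), as an added Python sketch that is not LJK/Security's own code. The function names and the per-node `enabled` record are hypothetical, and folding LOGICAL and PHYSICAL in a node's settings onto EXECUTE and DELETE is this example's reading of the manual's mapping.

```python
ACCESS_TYPES = ("READ", "WRITE", "EXECUTE", "DELETE", "CONTROL")
DEVICE_ALIASES = {"LOGICAL": "EXECUTE", "PHYSICAL": "DELETE"}  # mapping stated in the manual
# constraint -> (reporting kind, enabled-state that violates the constraint)
CONSTRAINTS = {
    "ALPROHIBIT": ("alarms", True), "ALREQUIRE": ("alarms", False),
    "AUPROHIBIT": ("audits", True), "AUREQUIRE": ("audits", False),
}

def normalize(access):
    """Fold device access names onto the selector the manual assigns them."""
    access = access.upper()
    access = DEVICE_ALIASES.get(access, access)
    if access not in ACCESS_TYPES:
        raise ValueError(f"unknown access type: {access}")
    return access

def set_limit(limits, element, constraint, value, selector=None):
    """Set one limit; with no selector the change applies to every access type."""
    if constraint not in CONSTRAINTS or value not in (True, False):
        raise ValueError("bad constraint or value")
    for access in ([normalize(selector)] if selector else ACCESS_TYPES):
        limits[(element, constraint, access)] = value

def check(limits, element, enabled):
    """enabled: {"alarms": [...], "audits": [...]}, access types switched on for the element."""
    state = {kind: {normalize(a) for a in enabled.get(kind, ())}
             for kind in ("alarms", "audits")}
    reports = []
    for access in ACCESS_TYPES:
        for constraint, (kind, bad_state) in CONSTRAINTS.items():
            limit_on = limits.get((element, constraint, access), False)  # default FALSE
            if limit_on and (access in state[kind]) == bad_state:
                word = "enabled" if bad_state else "disabled"
                reports.append(
                    (access, f"{element} security {kind} are {word} in violation of policy"))
    return reports

# Constructed sample: what one node has enabled for each element.
SAMPLE = {
    "FAILURE": {"alarms": ["READ", "WRITE"], "audits": ["READ", "WRITE", "PHYSICAL"]},
    "GRPPRV": {"alarms": ["CONTROL"], "audits": []},
}
```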